Page 1354 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
P. 1354
common criminal proceedings, this may include items such as a
murder weapon, clothing, or other physical objects. In a computer
crime case, real evidence might include seized computer equipment,
such as a keyboard with fingerprints on it or a hard drive from a
hacker’s computer system. Depending on the circumstances, real
evidence may also be conclusive evidence, such as deoxyribonucleic
acid (DNA), that is incontrovertible.
Documentary Evidence Documentary evidence includes any
written items brought into court to prove a fact at hand. This type of
evidence must also be authenticated. For example, if an attorney wants
to introduce a computer log as evidence, they must bring a witness (for
example, the system administrator) into court to testify that the log
was collected as a routine business practice and is indeed the actual
log that the system collected.
Two additional evidence rules apply specifically to documentary
evidence:
The best evidence rule states that when a document is used as
evidence in a court proceeding, the original document must be
introduced. Copies or descriptions of original evidence (known as
secondary evidence) will not be accepted as evidence unless
certain exceptions to the rule apply.
The parol evidence rule states that when an agreement between
parties is put into written form, the written document is assumed
to contain all the terms of the agreement and no verbal agreements
may modify the written agreement.
If documentary evidence meets the materiality, competency, and
relevancy requirements and also complies with the best evidence and
parol evidence rules, it can be admitted into court.
Chain of Evidence
Real evidence, like any type of evidence, must meet the relevancy,
materiality, and competency requirements before being admitted
into court. Additionally, real evidence must be authenticated. This
can be done by a witness who can actually identify an object as
